Screen OS

  • 1.  Zones, Virtual Router, Interfaces.

    Posted 02-19-2014 20:17

    I'm a newbie with ScreenOS. I know about Virtual Routers (VRs) on the SSG5: each VR has its own routing table, security zones are bound to a VR, and interfaces are bound to a zone.

    I understand forwarding traffic between VRs. But I don't know about zones. How does traffic pass between two zones on one VR, or on different VRs?

    Please explain it for me.



  • 2.  RE: Zones, Virtual Router, Interfaces.

    Posted 02-19-2014 21:30

    Hello,

    It depends on the source/destination interfaces. The routing lookup identifies the destination interface where the traffic is to be forwarded (the source interface is already known). The source interface identifies the source zone and the destination interface identifies the destination zone, so you just need to define a security policy from the source zone to the destination zone to permit traffic forwarding between the zones.

    Regards



  • 3.  RE: Zones, Virtual Router, Interfaces.

    Posted 02-19-2014 22:28

    Please define simply what a zone is. I don't know exactly what it is.



  • 4.  RE: Zones, Virtual Router, Interfaces.

    Posted 02-19-2014 23:16

    Security zones are logical entities to which one or more interfaces are bound. They are used to divide the network into segments (distinguishing groups of hosts) to which you can apply various security options to satisfy the needs of each segment.

    At a minimum, you must define two security zones, basically to protect one area of the network from the other. By defining many security zones, you bring finer granularity to your network security design.

    From the perspective of security policies, traffic enters on one security zone (identified by the source interface) and goes out on another security zone (identified by the destination interface after the routing lookup). This combination of a "from zone" and a "to zone" is defined as a context for security policies. Each context contains an ordered list of policies.

    Regards



  • 5.  RE: Zones, Virtual Router, Interfaces.

    Posted 02-19-2014 23:33

    Each policy also has actions associated with it: permit, deny, and reject.

    Pls explain deny vs reject?



  • 6.  RE: Zones, Virtual Router, Interfaces.

    Posted 02-20-2014 03:34

    The deny option will block the traffic and send a TCP reset.

    The reject option silently drops the traffic with no response to the requester.



  • 7.  RE: Zones, Virtual Router, Interfaces.
    Best Answer

    Posted 02-20-2014 03:42

    Hi Steve,

    I think you mean the reverse:

    deny is a silent drop, and reject will drop the traffic and send an ICMP destination unreachable (type 3) to the client.

    Regards

    Red1



  • 8.  RE: Zones, Virtual Router, Interfaces.

    Posted 02-20-2014 03:48

    You're right Red1, my memory failed me and I had this backwards.

    From the Concepts and Examples guide:

    Action

    An action is an object that describes what the firewall does to the traffic it receives.

    ■ Deny blocks the packet from traversing the firewall.
    ■ Permit allows the packet to pass the firewall.
    ■ Reject blocks the packet from traversing the firewall. The security device drops the packet and sends a TCP reset (RST) segment to the source host for TCP traffic and an ICMP “destination unreachable, port unreachable” message (type 3, code 3) for UDP traffic. For types of traffic other than TCP and UDP, the security device drops the packet without notifying the source host, which is also what occurs when the action is “deny.”
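    The following is an added example, not code from this thread or from Juniper: a small Python model of the lookup described in reply 4 (ingress interface gives the from-zone, routing lookup gives the egress interface and therefore the to-zone, the pair selects a policy context whose ordered list is searched top-down) combined with the per-protocol reject behaviour quoted above from the guide. All interface names, zone names, routes and policies are constructed for illustration; a route pointing at another VR models inter-VR forwarding; and traffic that matches no policy in its context is treated as deny, which is an assumption of this model rather than something the thread states.

```python
"""Model of ScreenOS zone/context/policy evaluation (added example, not device code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# --- constructed topology: interfaces -> zones -> virtual routers ------------
INTERFACE_ZONE = {"ethernet0/0": "Trust", "ethernet0/1": "DMZ", "ethernet0/2": "Untrust"}
ZONE_VROUTER = {"Trust": "trust-vr", "DMZ": "trust-vr", "Untrust": "untrust-vr"}

# Routing table per VR. A next hop is either an egress interface or another
# VR written as "vr:<name>", which models a route that hands the packet to
# a second VR for a further lookup (inter-VR forwarding).
ROUTES = {
    "trust-vr": [
        (ip_network("10.1.0.0/24"), "ethernet0/0"),
        (ip_network("10.2.0.0/24"), "ethernet0/1"),
        (ip_network("0.0.0.0/0"), "vr:untrust-vr"),
    ],
    "untrust-vr": [(ip_network("0.0.0.0/0"), "ethernet0/2")],
}


@dataclass(frozen=True)
class Policy:
    pid: int
    from_zone: str
    to_zone: str
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit", "deny" or "reject"


ANY = ip_network("0.0.0.0/0")
# Constructed policy list. Within one (from_zone, to_zone) context the first
# matching entry wins, so order matters.
POLICIES = [
    Policy(1, "Trust", "DMZ", ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24"), "tcp", 443, "permit"),
    Policy(2, "Trust", "Untrust", ANY, ANY, "tcp", 22, "reject"),
    Policy(3, "Trust", "Untrust", ANY, ANY, "udp", 53, "reject"),
    Policy(4, "Trust", "Untrust", ANY, ANY, "icmp", None, "reject"),
    Policy(5, "Trust", "Untrust", ANY, ANY, "any", None, "permit"),
]


def route_lookup(vr: str, dst: IPv4Address) -> str:
    """Longest-prefix match in the VR's table, following references to other VRs."""
    best = None
    for prefix, nexthop in ROUTES[vr]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    if best is None:
        raise LookupError(f"no route to {dst} in {vr}")
    nexthop = best[1]
    if nexthop.startswith("vr:"):          # route points at another VR: look up again there
        return route_lookup(nexthop[3:], dst)
    return nexthop


def resolve_context(ingress: str, dst: IPv4Address) -> Tuple[str, str]:
    """from-zone comes from the ingress interface; to-zone from the routed egress interface."""
    from_zone = INTERFACE_ZONE[ingress]
    egress = route_lookup(ZONE_VROUTER[from_zone], dst)
    return from_zone, INTERFACE_ZONE[egress]


def find_policy(from_zone, to_zone, src, dst, proto, dport) -> Optional[Policy]:
    """Top-down search of the ordered list restricted to one context; first match wins."""
    for p in POLICIES:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if src not in p.src or dst not in p.dst:
            continue
        if p.proto != "any" and p.proto != proto:
            continue
        if p.dport is not None and p.dport != dport:
            continue
        return p
    return None


def source_sees(action: str, proto: str) -> str:
    """What the source host observes, per the guide text quoted in the thread."""
    if action == "permit":
        return "forwarded"
    if action == "reject" and proto == "tcp":
        return "TCP RST"
    if action == "reject" and proto == "udp":
        return "ICMP type 3 code 3"
    return "silent drop"   # deny, or reject for non-TCP/UDP traffic


def evaluate(ingress: str, src_ip: str, dst_ip: str, proto: str, dport: Optional[int] = None) -> dict:
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    from_zone, to_zone = resolve_context(ingress, dst)
    pol = find_policy(from_zone, to_zone, src, dst, proto, dport)
    action = pol.action if pol else "deny"   # assumption: no matching policy -> deny
    return {"context": (from_zone, to_zone), "policy": pol.pid if pol else None,
            "action": action, "source_sees": source_sees(action, proto)}


if __name__ == "__main__":
    for args in [("ethernet0/0", "10.1.0.5", "10.2.0.10", "tcp", 443),
                 ("ethernet0/0", "10.1.0.5", "198.51.100.7", "udp", 53),
                 ("ethernet0/1", "10.2.0.10", "10.1.0.5", "tcp", 22)]:
        print(args, "->", evaluate(*args))
```

    Running the three sample flows shows the point of the thread: the same five policies produce a permit, a reject that the client sees as an ICMP port-unreachable, and a silent drop for the DMZ-to-Trust flow, purely because the routing lookup puts each flow into a different (from-zone, to-zone) context.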
    

     



  • 9.  RE: Zones, Virtual Router, Interfaces.

    Posted 02-20-2014 04:08

    Thanks for the detailed explanation. Don't worry Steve, you are our teacher in this community 🙂